
5 ways to never trust, always verify in zero trust IT

Is your IT like an M&M? Does your security have a hard, crunchy exterior and soft, chewy interior? Perhaps it's time to implement a zero trust IT security approach.

Published January 20, 2016

The following is a guest post from Andy Doyle at Armstrong, a leading UK-based professional services provider and IT reseller.

This M&M approach to security believes in perimeters to keep the bad people out, and at the same time “trust but verify” users (and assets, files, programs and data) inside the perimeter. Industry security experts dealing with headline breaches are signalling that this has to change.

It’s a reality of business life that SLAs and “squeaky wheels getting the oil” (think CEO complaining about a broken laptop) are priorities over security. When businesses prioritise availability over integrity and confidentiality, the security controls and verification can be weak.

Threat sources are increasing as mobile devices are used for work and the line between home and work life blurs. Leading industry observers were calling 2015 the year of Cyberwar, and in most cases the headline breaches were not caused by network breaches, but instead by user breaches such as stolen credentials, where the criminal walks through the front door with a key. Worse still, many breaches are still inside jobs.

According to NIST and Forrester (Developing a Framework to Improve Critical Infrastructure Cybersecurity, NIST & Forrester, 2013), in approximately 80% of all breaches the IT security team is the last to know, and is often informed of the breach by third parties. The “trust but verify” model has broken down and a new model of “never trust, always verify,” or Zero Trust IT, has emerged.

So how do you move to a Zero Trust model?

Five things you can do to implement zero trust IT

Zero Trust IT means no longer relying on a firewall alone to divide untrusted from trusted, and instead assuming that everything “inside” the firewall is also untrusted. Historically, IT security has been implemented mostly at the network layer, with things like firewalls on the perimeter and on devices. Zero Trust IT shifts the focus to bring all of IT into the security scope.

An intruder in your IT systems can be likened to an intruder in your house at night. In the dark they need to bump and feel their way around to create a map, and in doing so they knock over vases and leave marks on the walls. These signs of intrusion are the key verification in Zero Trust IT.

To implement Zero Trust IT you need to implement Audit and Compliance controls (like locking doors) and verification (listening for bumps in the night):

1. Manage users as untrusted entities

Use controls to limit and verify user access to applications, systems and data.

2. Value data above networks

Put in place file controls and monitoring.

3. “Log everything” is the new mantra

Make sure your logging systems are trustworthy so rogue users can’t hide their tracks.

4. Track changes on your systems

Receive real-time alerts to limit breaches, and keep historical data for investigations and to support disciplinary procedures.

5. Network security up to the end point

Today, that end point can be a mobile phone.

Armstrong is a leading UK based IT reseller, providing a range of cutting-edge products for IT Auditing, Monitoring, Management, and Security as well as the services to help you make the most of them, including consultancy, training, installation and support.

